Christian Folini | 29 Apr 20:46 2016

Re: Content-Disposition-Header created by Java Jersey client libraries 1.x is rejected as invalid (due to modification-date)

Hello J. Fiala,

I have never seen this modification-date field in the wild. According
to https://greenbytes.de/tech/webdav/draft-reschke-rfc2183-in-http-latest.html
it's not implemented in any user-agent.

Well, that information is now outdated and the Jersey libraries have
the merit of implementing this for the first time, 19 years after
the RFC came out.

Jokes aside: Please file a bug / feature request on github.

Ahoj,

Christian

On Fri, Apr 29, 2016 at 12:25:08PM +0200, J. Fiala wrote:
> Hello,
> 
> I'm using the Java Jersey client libraries (using current latest version 
> 1.19.1) to send a Http Multipart Request including a file.
> 
> Currently the Content-Disposition is assembled this way:
> 
> Content-Disposition: form-data; filename="myfile.txt"; 
> modification-date="Mon, 25 Apr 2016 10:40:18 GMT"; size=46; name="file"
> 
> This should be conforming to RFC 2183 (https://tools.ietf.org/html/rfc2183).
> 
> However, the Content-Disposition Header is currently rejected by Apache 
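To make the question concrete, here is the Jersey header quoted above run through a small RFC 2183 parameter parser and validator. This is an added example written for this page; it is not code from the Jersey project, from ModSecurity or from the CRS, and it assumes only the header text from the message and the RFC 2183 grammar (a `modification-date` is a quoted RFC 822 date). The `validate_content_disposition` checks are the ones a WAF or upload handler would reasonably apply; they are illustrative, not a reproduction of whatever rule rejected the header.

```python
import email.utils
import re

# Constructed sample: the Content-Disposition value exactly as quoted from the
# Jersey 1.19.1 client in the message above.
JERSEY_HEADER = (
    'form-data; filename="myfile.txt"; '
    'modification-date="Mon, 25 Apr 2016 10:40:18 GMT"; size=46; name="file"'
)

# RFC 2183 date parameters are quoted-date-time: an RFC 822 date in double quotes.
DATE_PARAMS = {"creation-date", "modification-date", "read-date"}

# One "name=value" parameter: token name, then a quoted-string or a token value,
# terminated by ";" or end of string (tchar set from RFC 7230).
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM_RE = re.compile(
    r'\s*(?P<name>' + _TCHAR + r')\s*=\s*'
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>' + _TCHAR + r'))\s*(?:;|$)'
)


def parse_content_disposition(value):
    """Split a Content-Disposition value into (disposition type, parameters).

    Parameter names are lower-cased, quoted-strings are unescaped, and a
    duplicate or malformed parameter raises ValueError instead of being
    silently dropped (the failure mode a WAF cares about).
    """
    head, _, rest = value.partition(";")
    disposition = head.strip().lower()
    if not disposition:
        raise ValueError("missing disposition type")
    params = {}
    pos = 0
    while rest[pos:].strip():
        m = _PARAM_RE.match(rest, pos)
        if m is None:
            raise ValueError("malformed parameter near %r" % rest[pos:pos + 24])
        name = m.group("name").lower()
        if name in params:
            raise ValueError("duplicate parameter %r" % name)
        if m.group("quoted") is not None:
            params[name] = re.sub(r"\\(.)", r"\1", m.group("quoted"))
        else:
            params[name] = m.group("token")
        pos = m.end()
    return disposition, params


def validate_content_disposition(value):
    """Return a list of problems found; an empty list means the value is acceptable."""
    disposition, params = parse_content_disposition(value)
    problems = []
    if disposition not in ("inline", "attachment", "form-data"):
        problems.append("unknown disposition type %r" % disposition)
    if disposition == "form-data" and "name" not in params:
        problems.append("form-data requires a name parameter")
    for name in sorted(DATE_PARAMS & params.keys()):
        # parsedate_tz returns None for anything that is not an RFC 822 date
        if email.utils.parsedate_tz(params[name]) is None:
            problems.append("%s is not an RFC 822 date: %r" % (name, params[name]))
    if "size" in params and not params["size"].isdigit():
        problems.append("size is not a decimal integer: %r" % params["size"])
    # RFC 2183 section 2.3: receivers must not trust path information in filename
    if "filename" in params and re.search(r"[/\\]|\.\.", params["filename"]):
        problems.append("filename carries path components: %r" % params["filename"])
    return problems


if __name__ == "__main__":
    kind, fields = parse_content_disposition(JERSEY_HEADER)
    print(kind, fields)
    print("problems:", validate_content_disposition(JERSEY_HEADER) or "none")
```

The Jersey value parses cleanly and passes every check, which supports the poster's reading of RFC 2183: a rule that rejects it is rejecting a syntactically valid header on the grounds that the parameter is unusual, not malformed. That is a legitimate tightness trade-off for a WAF, but it should be a conscious one, hence Christian's suggestion to file it as a bug or feature request.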

Shorn Tolley | 28 Apr 04:46 2016

Are there any versions of ModSecurity that work well with supported versions of Nginx?

I'm building Nginx and ModSecurity together in order to use the OWASP Core Rule Set Project.
According to the modsecurity download page, the latest version of modsecurity (2.9.1) is not stable when
used with Nginx. This is consistent with my experience (not working properly on either Nginx 1.8.x or
1.9.x). I've also tried the nginx_refactoring branch of ModSecurity, but that's non-functional
too - and it hasn't seen a commit in nearly 2 years anyway.

I feel like I've been wasting my time trying to get various versions of modsecurity and nginx working together.
Is there any currently supported combination of ModSecurity and a supported version of Nginx that is known
to be working?

I've tried the libmodsecurity branch too, but that doesn't seem to work properly either.  
The new stable branch of Nginx was released this week (1.10.x) - are there any plans to get libmodsecurity
branch synchronised with it in the near term?  Am I just wasting my time if I try to get it working?

If I can get modsec/nginx working together - does TrustWave actually support that for the commercial ruleset?

------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/


Cr3a70r | 26 Apr 17:45 2016

[CRS rules] CRS rules not saving from SQL-Injections

Hello. 
I have enabled the CRS SQL-injection rules on my VPS server. 
Made a test database with login-password and set up a PHP post-form without any filter on user input. 
After this I tried sqlmap on this PHP post-form and successfully exploited an SQL-Injection. 
How is that possible? 
Christian Folini | 26 Apr 13:56 2016

Working with pseudo-random numbers for conditional rule execution

Hi there,

Yesterday, I talked to a customer about enabling rules for a limited
percentage of requests. Selected by random.

The obvious blocker with ModSecurity is the lack of an easily accessible
random function. Here is a blog post about workarounds to generate
random numbers from within ModSecurity. Not cryptolevel randomness,
but good enough for a bit of sampling.

https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/

Feedback welcome!

Christian

-- 
mailto:christian.folini <at> netnea.com
http://www.christian-folini.ch
twitter:  <at> ChrFolini


Christian Folini | 26 Apr 05:42 2016

Sanitising Apache Error-Log

Hi there,

The sanitization functions of ModSec focus on the audit-log.

I wonder if anybody has a good way to sanitise the error-log:

[2016-04-26 05:38:54.698877] [-:error] 127.0.0.1:51380 \
Vx7izn8AAQEAAGymTLUAAAAF [client 127.0.0.1] ModSecurity: Warning. \
Pattern match "(?i:(?:\\\\A|[^\\\\d])0x[a-f\\\\d]{3,}[a-f\\\\d]*)+" \
at ARGS:password. \
[file "/core-rules/modsecurity_crs_41_sql_injection_attacks.conf"] \
[line "55"] [id "981260"] [rev "2"] \
[msg "SQL Hex Encoding Identified"] \
[data "Matched Data: t0xab0 found within \
ARGS:password: mysecret0xab0"] [severity "CRITICAL"] \
[ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] \
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] \
[tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] \
[hostname "localhost"] [uri "/index.html"] \
[unique_id "Vx7izn8AAQEAAGymTLUAAAAF"]

This is surprisingly difficult, it seems.

Ahoj,

Christian

-- 
A happy life consists not in the absence, but in the mastery of
hardships.  
--- Helen Keller
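One way to do the sanitising outside ModSecurity is to post-process the error log before anything downstream (log shipper, SIEM, ticket) sees it. The script below is an added example, not code from ModSecurity or from the author of the message; it assumes the Apache 2.4 error-log layout shown above, a constructed list of sensitive argument names, and nothing else. It redacts only the `[data "..."]` field, and only when the matched variable (`at ARGS:password`) names a sensitive argument, so the rule id, tags, uri and unique_id stay intact for triage.

```python
import re
import sys

# Argument names whose values must never reach the error log (constructed list).
SENSITIVE_ARGS = {"password", "passwd", "pwd", "secret", "token", "authorization"}

# Constructed sample: the alert quoted above, joined back into the single line
# Apache writes (the backslash continuations in the message are for readability).
SAMPLE_LINE = (
    '[2016-04-26 05:38:54.698877] [-:error] 127.0.0.1:51380 '
    'Vx7izn8AAQEAAGymTLUAAAAF [client 127.0.0.1] ModSecurity: Warning. '
    r'Pattern match "(?i:(?:\\\\A|[^\\\\d])0x[a-f\\\\d]{3,}[a-f\\\\d]*)+" '
    'at ARGS:password. '
    '[file "/core-rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "55"] [id "981260"] [rev "2"] '
    '[msg "SQL Hex Encoding Identified"] '
    '[data "Matched Data: t0xab0 found within '
    'ARGS:password: mysecret0xab0"] [severity "CRITICAL"] '
    '[ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] '
    '[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] '
    '[tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] '
    '[hostname "localhost"] [uri "/index.html"] '
    '[unique_id "Vx7izn8AAQEAAGymTLUAAAAF"]'
)

# "... at ARGS:password. [file ..." names the variable the operator matched.
_VAR_RE = re.compile(r" at (?P<var>[A-Z_]+(?::[^ ]*?)?)\. \[")
# The [data "..."] field is where the matched (possibly secret) value is echoed.
_DATA_RE = re.compile(r'\[data "(?:[^"\\]|\\.)*"\]')


def sensitive_variable(var, sensitive=SENSITIVE_ARGS):
    """True when a variable such as ARGS:password carries a sensitive argument value.

    Only value collections count; ARGS_NAMES holds parameter names, not secrets.
    Substring matching is deliberate: over-redacting new_password is cheaper
    than leaking it.
    """
    collection, _, arg = var.partition(":")
    if collection not in ("ARGS", "ARGS_POST", "ARGS_GET"):
        return False
    lowered = arg.lower()
    return any(word in lowered for word in sensitive)


def sanitise_line(line, sensitive=SENSITIVE_ARGS):
    """Redact the [data "..."] field of an alert whose matched variable is sensitive.

    Lines that are not ModSecurity alerts, or that concern other variables,
    are returned unchanged so the log stays useful for triage.
    """
    m = _VAR_RE.search(line)
    if m is None or not sensitive_variable(m.group("var"), sensitive):
        return line
    replacement = '[data "(redacted: %s)"]' % m.group("var")
    # A callable avoids backslash processing in the replacement text.
    return _DATA_RE.sub(lambda _: replacement, line, count=1)


def sanitise_stream(lines, sensitive=SENSITIVE_ARGS):
    """Apply sanitise_line to every line of an iterable (file, pipe, list)."""
    for line in lines:
        yield sanitise_line(line, sensitive)


if __name__ == "__main__":
    # Usage: tail -f /var/log/apache2/error.log | python sanitise_error_log.py
    for out in sanitise_stream(sys.stdin):
        sys.stdout.write(out)
```

The caveat is the one the message already hints at: ModSecurity has written the line before this filter sees it, so the secret still touches the disk (and any copy made by logrotate) before redaction. Post-processing protects the consumers of the log, not the log file itself; for the audit log the engine's own sanitisation actions remain the right tool.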


刘斌 | 23 Apr 07:11 2016

'SecResponseBodyLimit' not working for nginx

Hi,
    I am using modsecurity and nginx as a reverse proxy. My web server supports file downloading, and I found that the memory is exhausted by nginx when users download big files. I tried to set 'SecResponseBodyLimit' to a lower value but it has no effect, even if I set 'SecResponseBodyAccess' to Off...
    I have tried both modsecurity 2.9.1 and the ngx_refactoring branch; neither works.
    Finally, I checked the source code, and it seems that these related config options haven't been implemented for nginx, right?
    Waiting for your help, thank you.


 

Ehsan Mahdavi | 16 Apr 14:20 2016

nginx refactoring problem with backend error codes and post request

Hi all

Using modsecurity with nginx (refactoring branch), regardless of whether you set the SecRuleEngine to DetectionOnly, it actively blocks the post requests which have a 50x error code in any single part of the response body.

For example, if the back-end server response is a complete web page with a single image missing, modsecurity (in DetectionOnly mode) will block the request.

Any Suggestion is appreciated.

P.S. Using the CRS rule set, rule 970901 will be fired!

--
                    regards
                 Ehsan.Mahdavi

Mihai Christodorescu | 14 Apr 23:50 2016

Trouble with libmodsecurity


I am trying out libmodsecurity from github. I built the library and then
tried the tests.

* test/regression_tests passes

* test/unit_tests crashes right away
#0  0x00007f0263cc6920 in
std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*) ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#1  0x000000000041fcfa in _M_insert<std::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&> (
    __position=..., this=0x400) at /usr/include/c++/4.8/bits/stl_list.h:1562
#2  push_back (__x="", this=0x400) at
/usr/include/c++/4.8/bits/stl_list.h:1016
#3  modsecurity::operators::Rx::evaluate (this=<optimized out>,
transaction=0x0, input=...) at operators/rx.cc:33
#4  0x0000000000409fd0 in perform_unit_test (t=t <at> entry=0x254dff0,
res=res <at> entry=0x7ffd92e94c90) at unit/unit.cc:55
#5  0x00000000004079ef in main (argc=<optimized out>, argv=<optimized
out>) at unit/unit.cc:98

* test/benchmark/benchmark errors out (after running
test/benchmark/download-owasp-v3-rules.sh):
$ ./benchmark
Problems loading the rules...
Something wrong with the input format

This is on Ubuntu 14.04. Any ideas on how to get the OWASP v3 rules working?

Thanks,

Mihai

-- 
 mihaic <at> gmail.com
-------------------------------------------------------
  The man of knowledge must be able not only to love
 his enemies but also to hate his friends.
                                 - Friedrich Nietzsche


Saddar Toufik | 12 Apr 10:31 2016

Logging In LibModsecurity

Hi,
I used scapy to sniff HTTP traffic (request, response), "passive mode".
I used libModSecurity with python-bindings.

I used the transaction.processLogging(403) function to log alerts.

I have successfully generated alerts and logged them in the modsec_audit.log file, but I only get parts A and B of the alerts ("SecAuditLogParts ABIJDEFHKZ"), not the others (especially K).

Please help me.
Thanks 
rewt rewt | 8 Apr 10:55 2016

SecRemoteRules limitations (SecRuleInheritance issues)

Dear All,
Since the implementation of SecRemoteRules for the Trustwave commercial rules download we are encountering an issue...
Indeed, SecRemoteRules can be used only once on a server (you cannot use it in several vhosts).

Furthermore, if you use SecRuleInheritance Off to limit the overlap or to have specific rules for each virtual host, you cannot use SecRemoteRules (in httpd.conf for example), as the downloaded rules will not be applied in the sub virtual hosts due to the "SecRuleInheritance Off" directive.

For me it looks like a bug (aka missing features); indeed it should be possible to:
- Use multiple SecRemoteRules directives, one for each vhost, in the case of using "SecRuleInheritance Off"
OR / AND
- Have a specific directive related to SecRuleInheritance to be able to specify that remote rules can be inherited...

It is a big problem for us and at this time we have not found any valuable solution.

Any idea would be much appreciated (as I don't understand how other people using SecRuleInheritance Off are managing with remote commercial rules...)

Kind regards,

David R

Meetesh Barua | 30 Mar 01:11 2016

ModSecurity and IIS multi site

Hi,
I'm wondering if it is possible to make ModSecurity work when we have multiple sites enabled in the IIS config. I know it can be enabled in Apache with the "Location" directive. In IIS, it has <sites>. Just wondering if we can enable/configure modsec on a per-site basis in IIS.
Thanks.
-M
